[Rspamd-Users] New to rspamd

Ian Springett ian.springett at giacom.com
Wed Feb 6 09:58:44 UTC 2019


Outlook autocorrect feature!

It is /local.d/antivirus.conf

-----Original Message-----
From: Users <users-bounces at lists.rspamd.com> On Behalf Of Manuel Garbin
Sent: 06 February 2019 09:57
To: User questions <users at lists.rspamd.com>
Subject: Re: [Rspamd-Users] [ext] Re: New to rspamd

Hi Ian,
Change the file name to antivirus.conf (all lowercase).

----- Original Message -----
From: "Ian Springett" <ian.springett at giacom.com>
To: "User questions" <users at lists.rspamd.com>
Sent: Wednesday, 6 February 2019 10:43:58
Subject: Re: [Rspamd-Users] [ext] Re:  New to rspamd

This is what I have in place, and it does not work. There is nothing in any logs that even suggests the AV engine has been invoked:

Local.d//Antivirus.conf

clamav {
  action = "reject";
  message = '${SCANNER}: virus found: "${VIRUS}"';
  symbol = "CLAM_VIRUS";
  type = "clamav";
  log_clean = true;
  servers = "127.0.0.1:3310";
  patterns {
    # symbol_name = "pattern";
    JUST_EICAR = '^Eicar-Test-Signature$';
  }
  whitelist = "/etc/rspamd/antivirus.wl";
}

ss -latn
LISTEN      0      128                                                                   127.0.0.1:3310                                                                                      *:*

-----Original Message-----
From: Users <users-bounces at lists.rspamd.com> On Behalf Of Ralf Hildebrandt
Sent: 06 February 2019 09:29
To: users at lists.rspamd.com
Subject: Re: [Rspamd-Users] [ext] Re: New to rspamd

* Ian Springett <ian.springett at giacom.com>:

> Clamav integration is documented but doesn't work as advertised. 

...

> To wit:
> 
> where is the clamav integration covered?  I have looked at:
> 
> https://rspamd.com/doc/modules/antivirus.html

All I did in /etc/rspamd/local.d/antivirus.conf was:

first {
  action = "reject";

  scan_mime_parts = true;
  scan_text_mime = true;
  scan_image_mime = true;

  symbol = "CLAM_VIRUS";
  type = "clamav";
  log_clean = false;
  timeout = 30.0;
  retransmits = 4;
  servers = "127.0.0.1:3310";
  patterns = [{SANE_MAL = 'Sanesecurity\.Malware\.*'}, {CLAM_UNOFFICIAL = 'UNOFFICIAL$'}, {CLAM_OLE2_VBA_MACRO = '^Heuristics\.OLE2\.ContainsMacros$'}];
  whitelist = "/etc/rspamd/antivirus.wl";
}

The section is called "first", since I have a second scanner.
I use patterns to transform the "unofficial" clamav signatures into symbols.

I had to make clamd listen on a TCP socket:

# netstat -tulpen |fgrep 3310
tcp        0      0 127.0.0.1:3310          0.0.0.0:* LISTEN      106        712192245  35943/clamd  

clamd.conf:

...
LocalSocket /var/run/clamav/clamd.ctl
TCPAddr localhost
TCPSocket 3310
FixStaleSocket true
...

Can't help you with SELinux, though.

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebrandt at charite.de        Campus Benjamin Franklin
https://www.charite.de             Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
--
Users mailing list
Users at lists.rspamd.com
https://lists.rspamd.com/mailman/listinfo/users
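
Added example (not part of the thread and not rspamd's own code): a Python sketch of clamd's INSTREAM exchange on the TCP endpoint named in `servers`, useful for checking the scanner independently of rspamd, plus a simplified first-match version of the `patterns` mapping quoted above. The function names, the sample input and the first-match rule are assumptions of this example.

```python
import re
import socket
import struct

# Patterns copied from the two configs quoted in the thread, as (symbol, regex).
PATTERNS = [
    ("JUST_EICAR", r"^Eicar-Test-Signature$"),
    ("SANE_MAL", r"Sanesecurity\.Malware\.*"),
    ("CLAM_UNOFFICIAL", r"UNOFFICIAL$"),
    ("CLAM_OLE2_VBA_MACRO", r"^Heuristics\.OLE2\.ContainsMacros$"),
]

def frame_instream(data, chunk=4096):
    """Build an INSTREAM request: command, length-prefixed chunks, zero-length end."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)  # 4-byte big-endian length
    out.append(struct.pack("!I", 0))
    return b"".join(out)

def parse_reply(reply):
    """Return the signature name from 'stream: <name> FOUND', None for 'stream: OK'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if not text.startswith("stream: ") or text.endswith(" ERROR"):
        raise RuntimeError("unexpected clamd reply: %r" % text)
    m = re.match(r"^stream: (.+) FOUND$", text)
    return m.group(1) if m else None

def symbol_for(virus, default="CLAM_VIRUS"):
    """Assumed rule: first matching pattern wins, otherwise the scanner's symbol."""
    return next((sym for sym, rx in PATTERNS if re.search(rx, virus)), default)

def scan(data, host="127.0.0.1", port=3310, timeout=30.0):
    """Send data to clamd over TCP and return (symbol, signature) or (None, None)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    virus = parse_reply(reply)
    return (symbol_for(virus), virus) if virus else (None, None)

if __name__ == "__main__":
    # Constructed harmless sample; a reachable clamd should report it clean.
    print(scan(b"constructed clean sample"))
```

A connection error from `scan` means clamd is not listening on the address given in `servers`; a clean result while rspamd still logs nothing points at the rspamd side, for example the configuration file name.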